Using a Raspberry as a Linux Router with Pi-Hole


This morning I re-installed Pi-hole and I'm trying to set up my Raspberry Pi as a Linux router.

Here's my home network:

                             WAN                                    LAN
[InternetRouter] <--------------------------> [PiHole] <--------------------------> [Wifi-Router]
[]        [wan:] -------- [lan:]        []

The Pi has 3 network interfaces, eth0, wlan0 and the USB ethernet adapter eth1.

I disabled the wlan0 interface, because I don't need it. In order to do so, edit /boot/config.txt and add the line dtoverlay=disable-wifi. You may also disable the Bluetooth radio by adding dtoverlay=disable-bt.

Then, to help identify those NICs, I created this file: /etc/udev/rules.d/10-network.rules

  • SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="xx:xx:xx:xx:xx:xx", NAME="wan"
  • SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="xx:xx:xx:xx:xx:xx", NAME="lan"

You'll find the proper MAC addresses using ifconfig.

  • lan is the interface connected to the LAN network
  • wan is the interface connected to the WAN network

Both interfaces are configured with static IP addresses in the following files:

  • /etc/network/interfaces.d/lan
    auto lan
    iface lan inet static
  • /etc/network/interfaces.d/wan
    auto wan
    allow-hotplug wan
    iface wan inet static

I also disabled IPv6 and enabled IP forwarding in /etc/sysctl.conf by adding:

  • net.ipv4.ip_forward=1
  • net.ipv6.conf.all.disable_ipv6=1

Then run those iptables rules:

  • iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
  • iptables -A INPUT -i lan -j ACCEPT
  • iptables -A INPUT -i wan -m state --state ESTABLISHED,RELATED -j ACCEPT
  • iptables -A OUTPUT -j ACCEPT
  • iptables -t nat -A PREROUTING -i lan -p udp ! --source ! --destination --dport 53 -j DNAT --to
  • iptables -t nat -A PREROUTING -i lan -p tcp ! --source ! --destination --dport 53 -j DNAT --to

Then in order to restore those iptables rules at each reboot:

  • sudo apt install iptables-persistent

Save those rules in a file:

  • iptables-save > /etc/iptables/rules.v4

Reload the service:

  • service iptables-persistent reload

Disable dhcpcd service:

  • sudo systemctl disable dhcpcd.service

I got something working by flushing out the iptables rules! Apparently there is something wrong with them.

Also, I had to disable dhcpcd:

  • sudo systemctl disable dhcpcd.service

Things left to do:

  • If a client sets a custom DNS server, it bypasses the Pi-hole. How can I prevent that?


  • iptables -t nat -A PREROUTING -i <local-nic> -p tcp ! --source <local-ip-of-pihole> ! --destination <local-ip-of-pihole> --dport 53 -j DNAT --to <local-ip-of-pihole>
  • iptables -t nat -A PREROUTING -i <local-nic> -p udp ! --source <local-ip-of-pihole> ! --destination <local-ip-of-pihole> --dport 53 -j DNAT --to <local-ip-of-pihole>

In my case, I had to do:

  • iptables -t nat -A PREROUTING -i eth0 -p udp ! --source ! --destination --dport 53 -j DNAT --to
  • iptables -t nat -A PREROUTING -i eth0 -p tcp ! --source ! --destination --dport 53 -j DNAT --to


 ~  nslookup 


Address: ::
 ~  nslookup


Address: ::

When disabling pi-hole:

 ~  nslookup

Non-authoritative answer:
Address: 2606:4700:7::a29f:8906
Address: 2606:4700:7::a29f:8806

Non-authoritative answer:

Is your Wifi router in AP mode?

No, it's actually in Bridge mode. I haven't found a way to assign an IP to it yet.

I had that kind of issue with a Netgear Nighthawk.

I found out I should try AP mode, and everything fell into place.

I assume it is wired, because you said you disabled WiFi on the Pi.

In layman's terms:
How did you get one Ethernet port on your lan side to accept two IP addresses? One for the router and one for the Pi-Hole.

My Pi has 2 Ethernet ports: 1 on the motherboard, 1 on USB (

What I meant is:

How is the router part and the pi-hole part sharing the same address on the LAN side?

The router is not on the LAN side, it's on the WAN side.

The wan side is on the network while the lan side is on



I thought you had your Pi listening and routing on the same port and address.

So what you did was lie to the Pi and tell it the LAN side of your ISP gateway/router was WAN then told your pi-Router to treat that traffic as WAN?

I'm fairly sure that if you switch the wireless router to AP mode, it will allow you to assign an IP address, especially since the device in front of it is essentially the gateway as it sees the network.

No no.

Yeah I guess this is something like that. Have you seen the network diagram on the first post? It should be enough to explain what's going on.

I guess I should try indeed, haven't had the time to do it yet.

Yeah, but you labeled it as wan and I noticed it was a local IP address, and I assumed eth1 was just for the WiFi router and I did not understand you had isolated the two; I thought you had somehow gotten the Pi to see all that with one connection, because I was caught up with another thread that was trying to do the same thing on one port and their WiFi on Starlink.
I still do not understand how DNS requests from 192.168.2.x are getting routed by but after reading your posts, a few times, I'm guessing you are using MASQUERADE and PREROUTING to make it happen.

I get the concept, but my Linux is not that good.

I linked to your post and just started asking questions.


See if you can help this person:

